How to Avoid a Mat Honan Style Mac & iCloud Hack

UPDATE: For those interested, we’ve done some investigation into what exactly happens during a remote wipe of a Mac via iCloud. You can read our findings here.

By now, the news of Wired journalist Mat Honan’s “Epic Hacking” has hit the mainstream news. Late last week, in a matter of minutes, Mr. Honan lost control of his Gmail, Twitter, Amazon, and Apple accounts to a brutal hack and saw his personal data on computers and devices in his possession wiped away in front of his eyes.

Hacking is something we’ve come to expect in our digitally connected world. It seems that not a week goes by without news of some celebrity, business, or government being hacked and personal data becoming compromised.

We provide a summary of what happened to Mr. Honan’s digital life so that you can fully understand it. We also offer some tips on how to prevent the same thing from happening to you, and if you don’t need the background, feel free to skip directly to that section.

The Hack

Step 1: Hackers targeted Mr. Honan due to his unique Twitter handle: @mat. From the information in his public Twitter profile, they found his personal website, which listed Mr. Honan’s Gmail address.

Step 2: Now in possession of Mr. Honan’s Gmail address, the hackers went to Gmail’s account recovery page. In the absence of Google’s 2-Step Verification security setup (explained below), Google offered to send a password recovery link to Mr. Honan’s alternate email address. To help users remember what their alternate email address is, Google displays it partially obscured. In Mr. Honan’s case (m****n@me.com), it was enough for the hackers to guess the address.

Now the hackers knew that Mr. Honan had an iCloud account, but they would need to get access to it in order to take over his Gmail and then Twitter accounts. According to Mr. Honan, and verified by TMO (although by the time we called, Apple was already under pressure due to the negative media coverage of this incident and was reluctant to give any information at all), Apple only requires a billing address and the last four digits of a credit card on file with them in order to gain access to an iCloud account.

Step 3: In the case of Mr. Honan, the billing address was obtained by performing a “WHOIS” (pronounced “who is”) search on his website domain. Website domains are required to have the contact information of the domain registrants (although you can use services to keep your personal information private, as discussed below). Mr. Honan used his billing address to register his domain and did not use a privacy service. His billing address information was therefore freely available to anyone with an internet connection.

Of course, as Mr. Honan points out in his Wired article, White Page listings or other address lookup tools can easily provide the billing address of anyone who uses their publicly-listed physical address as their billing address.

Step 4: Now the hackers needed the last four digits of Mr. Honan’s credit card. Assuming that Mr. Honan had an Amazon account, the hackers called the company and identified themselves as Mr. Honan by using the items they had already obtained: Mr. Honan’s name, email address, and billing address. They told the representative that they wanted to add a credit card to the account.

Using any credit card number that would pass the credit card industry’s self-check algorithm (meaning that, while the card will not work if something is actually charged to it, it can be entered into a company’s database without returning an error), the hackers successfully added a new credit card number to Mr. Honan’s Amazon account that only they knew. In Mr. Honan’s case, it’s not clear if the hackers used a stolen credit card or one of several credit card number generators that can be found online.
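To make the “self-check algorithm” concrete: the check applied when a card number is typed in is the Luhn checksum, which only catches typos and transpositions and says nothing about whether the card exists or belongs to the caller. The following validator is an added example (not code from the original article or from any of the companies named), using publicly documented test card numbers rather than real cards.

```python
"""Luhn checksum validator: what a card-number 'self-check' actually verifies."""


def normalize(number: str) -> str:
    """Strip the spaces and dashes people type; anything else is rejected."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit():
        raise ValueError("card number must contain only digits, spaces or dashes")
    return cleaned


def luhn_valid(number: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum.

    Walking from the rightmost digit, every second digit is doubled (subtracting
    9 when the result exceeds 9); the number passes when the digit sum is a
    multiple of 10. A pass means "no obvious typo", NOT "this is a real card" and
    NOT "the caller owns this card", which is why it must never serve as proof
    of identity in an account-recovery flow.
    """
    digits = [int(c) for c in normalize(number)]
    if len(digits) < 2:
        return False
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


# Constructed inputs: the well-known 4111... Visa test number (not a live card)
# and the same string with its last digit changed, which fails the checksum.
PASSES_SELF_CHECK = "4111 1111 1111 1111"
FAILS_SELF_CHECK = "4111-1111-1111-1112"

if __name__ == "__main__":
    for candidate in (PASSES_SELF_CHECK, FAILS_SELF_CHECK):
        print(candidate, "->", "passes Luhn" if luhn_valid(candidate) else "fails Luhn")
```

The point for a defender is the gap between the two checks: the validator above accepts any syntactically well-formed number, so “a card is on file” is not evidence of who is calling.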

Step 5: Now that the hackers had a full credit card number on file with Amazon, they called back a minute later and spoke to a different representative. They told the Amazon representative that they had lost access to their account. Now armed with a name, email address, billing address, and full credit card number on file, the hackers were able to add their own email address to Mr. Honan’s Amazon account and send a password reset email to that new address.

Step 6: The hackers now had complete access to Mr. Honan’s Amazon account. This still didn’t give them access to his entire valid credit card number, but it did give them the last four digits, which is exactly what they needed to persuade Apple to give them access to his iCloud account.

The hackers called AppleCare, identified themselves as Mr. Honan and provided his iCloud email address, billing address, and the last four digits of the credit card. Apple in turn gave them access to Mr. Honan’s iCloud account and from there the dominos fell: they reset his Gmail password, reset his Twitter password, and now had complete control over his digital life.

Step 7: With complete access to Mr. Honan’s accounts, one of the hackers decided to go a step further and use iCloud’s “Find My iPhone/Mac” to remotely wipe Mr. Honan’s iPhone, iPad, and MacBook. The last wipe was particularly devastating, as it destroyed the only copies of many photographs Mr. Honan possessed of his young daughter and deceased relatives.

The reality is that any consumer, business, or government is vulnerable to hacking. There is no such thing as a totally secure system and we accept this slightly increased risk as a trade off for the benefits of digital commerce and communication. However, several factors combined to make Mr. Honan’s experience especially crippling. Some of these factors are the fault of companies like Amazon and Apple, others rest on Mr. Honan’s shoulders.

As consumers, we can’t directly control the policies of online companies, or the actions of those companies’ employees. We can, however, take steps to correct the mistakes that Mr. Honan made so that we don’t one day find ourselves in his shoes.

Mr. Honan is a journalist, and so he needs to have a greater public profile than most individuals. However, be mindful of personal information that you provide online. Mr. Honan’s Twitter account linked to his personal webpage that contained his personal email and street address.

Some individuals, due either to the demands of their career or their personal preference, need to have all of their online and physical details linked (a Twitter account that links to a Facebook account that contains a birthday and phone number, for example). For maximum security, keep all this information separate, if possible, and don’t post a physical address, telephone number, or birthdate unless it’s necessary.

Google launched its optional 2-step verification process in early 2011, and many other online services, particularly those offered by financial institutions, have followed suit with similar security measures.

In short, 2-step verification adds a second layer of protection for accessing your account. In addition to your password, Google will send a code to your cell phone that must also be entered in order to log in. This code is unique and changes with each log in, so it is very difficult to crack unless the hackers also have access to your cell phone.

Despite the increased security that 2-step verification offers, it does make logging in to Google slightly more inconvenient and, as a result, many users choose not to turn it on, as was the case with Mr. Honan. Had he activated 2-step verification, the hackers would have been stuck early on in the process and would have either given up or been forced to pursue an alternate route.

While this won’t apply to everyone, those with website domains registered in their own names should use a Domain Privacy Service. This service, offered through your domain registrar or third party, acts as a representative for the WHOIS listing, providing their contact information instead of yours.

These services are not bulletproof — a formal request, cease and desist letter, or court order can require the service to release your true contact information — but they provide a screen that can stop individuals with nefarious intent from easily getting your address and phone number.

Some accounts allow (or require) a “secondary” email address in order to provide password recovery. Mr. Honan ran into trouble because his iCloud email address was linked to his Gmail address. With free email addresses available from a number of services, creating a separate, secure email address solely for the purpose of password recovery can limit a hacker’s ability to gain more information about you.

In Mr. Honan’s case, his password wasn’t needed as the hackers simply used other means to gain access to his accounts. Secure passwords are still important, however, and short, simple passwords should be changed to something harder to crack.

Long passwords with random alphanumeric characters and symbols are the most secure, but often difficult to remember. Password generators, such as ones built into software like 1Password or Apple’s Keychain Password Assistant, can create secure passwords that are easier to remember by performing such tricks as replacing letters in common words with similar numbers, such as “W3LC0ME.”

Another trick is to use a common password that is easy to remember, but surround it with a large number of repeating characters. For example: “aaaaaTMO!!!!!” The “TMO” is easy to remember and it is surrounded with five “a” and “!” characters. Even though those characters repeat, from the perspective of a brute force attack, each additional character significantly increases the amount of time it takes to crack the password.

And, regardless of how you choose to improve your password, make sure to change it at least every six months. Doing so will limit your risk in the event that you inadvertently give out your password or in the event that your online service is itself hacked and user passwords are exposed.

Don’t Use Find My iPhone/Mac

The “Find My iDevice” feature of iCloud has many advantages, including the ability to help recover a lost or stolen phone. It also offers a security feature that allows you to wipe your iPhone, iPad, or Mac if you think it’s been stolen. Unfortunately, if someone other than yourself has access to your iCloud account, they can wipe your devices with just a few clicks of the mouse.

Individuals who travel frequently, are prone to lose things, or carry extremely sensitive information on their Mac might consider leaving the Find My Device feature turned on. For many other users, it has the potential to cause more problems than it solves should your account ever become hacked.

As a compromise, mentioned by Mr. Honan, users might consider leaving “Find My iPhone” turned on, but disabling the feature for their Mac. Phones and tablets are more likely to become lost or stolen than laptops and desktops.

If you don’t want to use Find My Mac, but still have sensitive data on your computer that you don’t want to become exposed should the machine be lost or stolen, consider using a method of whole disk encryption, such as FileVault 2, PGP, or TrueCrypt. This will prevent all but the most advanced hackers from accessing the data stored on your drive (although it is still only as secure as the password you use).

Perhaps the most tragic part of Mr. Honan’s experience was the loss of his digital photographs when his MacBook was remotely wiped. Had he had a sufficient backup, all would not have been lost.

Backing up your digital files is the single most important thing that every computer user should do. Files that exist in only one location may as well not exist at all, as any number of events — a hack, a drive failure, power surge, flood, fire, or theft — can cause the immediate, and permanent, loss of those files.

Users should back up their important and irreplaceable data via at least two methods: a local backup to a hard drive or optical media, and a remote backup to an online backup service or via physical media stored in a different location.

While data recovery is sometimes possible, it is extremely expensive and far from a guarantee that all your data will be restored. Therefore, and this cannot be stressed enough: everyone should have at least three copies of their critical data (original, onsite backup, offsite backup).

Mr. Honan used the same credit card for his Apple and Amazon accounts. This allowed the hackers, once they had control of his Amazon account, to access his Apple account by providing the last four digits of the card.

While this is not possible for everyone, and we certainly don’t advise applying for a bunch of new credit cards, if you do have multiple cards, consider using separate cards for major online services, such as Amazon, Apple, and Netflix. This will prevent hackers who manage to hack into one of your accounts from using that information to gain access to your other accounts.

The hackers in Mr. Honan’s case were able to access his iCloud account because his iCloud email prefix was the same as his Gmail email prefix. While it is appealing to have the same prefix across all of your accounts, it also increases your exposure to hackers. “Perhaps he uses the same ‘xxx’ prefix to log into his bank account?” a malicious hacker might suppose.

So, if possible, be sure to use different log-in and email prefixes across your various online accounts. It may not have completely prevented the hack had Mr. Honan’s iCloud email address had a different prefix, but it certainly would have made it more difficult.

Mr. Honan’s situation was not entirely caused by his own lapses in proper security, of course. Ineffective policies at Apple, Amazon, and Google all contributed to the end result.

As users, we can “vote with our wallets” in an effort to persuade these companies to change their policies to prevent the kind of social engineering that occurred in Mr. Honan’s case, but we have no direct control over the way these companies establish their policies or how employees implement them. All the security in the world on the part of the user won’t help if a careless or disgruntled employee bends or breaks the rules.

And that is the reality that a digital society faces. We must acknowledge that all the benefits of electronic banking, communication, and commerce come with a price. Nothing that we allow to connect to or be transmitted by a worldwide network can ever be completely secure.

Thankfully, if we all take the time to improve our digital security and protect our irreplaceable data, our chances of being hacked decrease and the damage caused if we are hacked can be mitigated.